Workflow violations are failing to trigger when DXL is configured

Issue

I have configured DXL integration in the rules.conf file and I am no longer able to trigger any violations.

Cause

This is caused by a misconfiguration that prevents a successful connection with McAfee DXL. When this occurs, the McAfee DXL client enters a retry loop which prevents the rest of the Workflow Engine from executing.

Resolution Steps

The following steps ensure the error is validated, the existing Workflow topology is killed, the certificate file is re-uploaded, and the updated Workflow (rules.conf) is deployed successfully.

1. Verify error in Workflow/Storm logs
2. Kill Workflow topology
3. Re-upload ca.crt file to McAfee ePO server
4. Validate rules.conf
5. Deploy Workflow topology

NOTE: The ca.crt file that was used to generate the McAfee DXL keystore will be needed. If the file is not available, a new signed client certificate will need to be generated. Please refer to the Configure DXL section in the Interset 5.5.2 Installation and Configuration guide.

Verify error in Workflow/Storm logs

SSH to the MASTER (ANALYTICS) NODE as the Interset User

Type in the following command to navigate to the storm log (/var/log/storm/workers-artifacts) directory:
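As an added example (not part of the original article, and not the command the article refers to), the following POSIX shell functions scan the Storm worker logs under /var/log/storm/workers-artifacts for DXL-related lines, which is one way to confirm the retry loop described in the Cause section before killing the topology. It assumes the standard Storm worker-artifacts layout (<directory>/<topology-id>/<port>/worker.log) and that the DXL client's log lines contain the string "dxl"; both are assumptions, not statements from the article. The sample log tree it builds is constructed for offline use.

```shell
#!/bin/sh
# Added example: look for DXL connection retries in Storm worker logs.
# Assumptions (not from the article): worker logs sit at
# <LOGDIR>/<topology-id>/<port>/worker.log (standard Storm layout) and
# the DXL client's messages contain the string "dxl".
LOGDIR_DEFAULT=/var/log/storm/workers-artifacts

# Print every DXL-related line (case-insensitive) from each worker.log
# under the given directory, prefixed with the file it came from.
dxl_log_lines() {
    dir="${1:-$LOGDIR_DEFAULT}"
    find "$dir" -type f -name 'worker.log' 2>/dev/null | while read -r f; do
        grep -i 'dxl' "$f" | sed "s|^|$f: |"
    done
}

# Count DXL-related lines. A count that keeps growing while no
# violations are emitted is the retry-loop symptom the article describes.
dxl_log_count() {
    dxl_log_lines "$1" | wc -l | tr -d ' '
}

# Build a small constructed sample log tree so the functions can be
# exercised offline; prints the directory path.
make_sample_logs() {
    d=$(mktemp -d)
    mkdir -p "$d/workflow-1-1/6700"
    cat > "$d/workflow-1-1/6700/worker.log" <<'EOF'
2020-01-01 10:00:00 INFO  WorkflowEngine starting
2020-01-01 10:00:01 WARN  DXL client: connection attempt 1 failed, retrying
2020-01-01 10:00:06 WARN  DXL client: connection attempt 2 failed, retrying
2020-01-01 10:00:11 INFO  unrelated bolt message
EOF
    echo "$d"
}

# Usage on the analytics node: dxl_log_lines   (uses LOGDIR_DEFAULT)
#                               dxl_log_count /var/log/storm/workers-artifacts
```

Run with the directory argument omitted on the master (analytics) node to read the live worker logs; pass the path printed by make_sample_logs to try it against the constructed sample first.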

During validation, prompts will appear that require input. These prompts will vary as they are dependent on the options that are enabled/configured. For more information, please contact Interset Support (support@interset.com).

Once all configurations are validated, please continue to the Deploy Workflow section.

Deploy Workflow

SSH to the MASTER NODE (Where analytics reside) as the Interset User

Type in the following command to deploy the updated Workflow rules.conf: